Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the logging component of the Endpoint Protector and Unify server application which allows an unauthenticated remote attacker to send a malicious request, resulting in the ability to execute system commands with root privileges.
The vulnerability exists in the login component of the Endpoint Protector and Unify application server. An unauthenticated attacker remotely sends a specially crafted request to the vulnerable server. The login component processes it in an insecure manner, resulting in the execution of arbitrary system commands. These commands are executed with root privileges, meaning the highest possible permissions in the system.
An attacker gains full control over the server with root privileges, enabling data reading, modification and deletion, malicious software installation, and further lateral movement within the organization's network.
Apply patches available from the vendor according to references (Netwrix Help Center: kA0Qk0000001E5lKAE). Immediate update to versions higher than 5.9.3 (Endpoint Protector) and 7.0.6 (Unify) is recommended, as well as restricting network access to the application server only to trusted hosts.
Netwrix CoSoSys Endpoint Protector in versions up to and including 5.9.3 and CoSoSys Unify in versions up to and including 7.0.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H